I have observed a disturbing trend when it comes to discussing IT security: that most of the conversation revolves around the securing the physical layer, securing the network, and making sure that the latest patches for the OS and application are installed.
Wait what, make sure the latest patches are installed? How about make sure that the software has been coded securely?
So why not? I think it's because of the mindset. Let's backpedal through the history of computers. Computers as we know it really boomed around the time of Windows 95.
Sure, computers have been around long before that; but, it was a geek toy; and not a visible part of society. Windows 95 was full of security holes, computer viruses were flying around as much as the first 10 elements of the periodic table do. This whole thing got so bad that it was a general rule never to buy the newest version of Windows (at least until Windows XP) until SP1 came out; basically people were expecting it to be broken.
Honestly, I think things just got worst with the proliferation of broadband internet services that even set-top devices have facilities for patching it. Who would have thought that you'll be able to stick a USB drive on the back of your TV to update the firmware?
So, how does the question of "why less emphasis on software security"? It's a mindset issue. The public in general have become desensitized to software patching that it's permeated to IT security.
Yes, I'm blaming the public for allowing software developers like me to write code that could lead to one-off errors, buffer overflow, and NULL pointer dereferencing; basically containing zero-day vulnerabilities. Now that I've pointed out what I feel is the root cause of all zero-day bugs in the world, I'm making a run for it.
The only real fix for this is a mindset shift. At the minimum, software developers need to code defensively regardless of the scope of the project; because, this needs to become a habit.
Coding standards should include requirements that all compiler warnings should be resolved--or document the reason why it's left unresolved. The standards should also require that static and dynamic analysis be done on software.
Considering that many of the open-source software that we use today to run enterprises started out as a curious itch; I believe that a mindset shift will do us a tremendous amount of good in the long term.
Cross-posted from Home+Power